ECSH33356 - Evidence of verification: documentary evidence
When verifying identity, businesses will accept a range of documents from a number of different sources. Each document will verify different elements of the customer information and vary in reliability.There is a broad hierarchy of documents shown in Joint Money Laundering Steering Group (JMLSG) guidance starting at section 5.3.36, for example:
- Government or court issued documents.
- Documents issued by other public sector bodies or local authorities.
- Documents issued by banks or other financial institutions.
- Documents issued by other firms subject to Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
- Documents issued by other organisations.
You should have already established the kind of documents the business accepts, when confirming the business’s policies, controls and procedures (PCPs). You should also read the sector specific guidance and the published guidance for specific business types on GOV.UK. You should also understand where and how documents are stored, such as whether they are they stored electronically or in paper form and how long they are stored for.
Before looking at documents you should already have discussed the business’s relationship with the selected customer. Establish who the business has identified and verified in relation to its customer and why it decided to verify the individuals it did (for example, the customer, the customer’s beneficial owner, or anyone acting on behalf of the customer). You can then decide if the documents held satisfactorily verify the customer’s information.
Private individuals
To verify the identity of natural persons, examples of documents may include:
- Passport
- Photo card driving licence
- National identity card
- Firearms certificate
- Identity card issued by the Electoral Office for Northern Ireland
These are likely to verify the name and appearance of the customer, but it is important to establish what customer information the business was verifying when it gathered a particular document. For example, if a business holds a copy of a customer’s driving licence, it may have been obtained to verify the likeness of the customer, to verify the customer’s address, or both. If the business is unable to explain why it has gathered the documents it has, it is unlikely that it is taking a risk-based approach to customer due diligence (CDD).
A customer may not have any standard ID documents shown in PCPs (for example, if they don’t drive and have not travelled abroad for a long time). A business may therefore exceptionally decide to lower its standards of evidence to accept non-standard forms of ID, where the transaction or business relationship represents a low risk of money laundering or terrorist financing. This does not necessarily mean there has been a breach of MLR 2017 and ultimately you need to decide whether the business has taken reasonable steps to verify the individual’s identity. If you decide it has not, you will also need to consider whether there were grounds to cease the transaction.
Where the business is in a business relationship with its customer and the documents have expired, follow the guidance for ongoing monitoring.
Non-UK residents
If the business’s customer is a non-UK resident, you should establish what identity documents were obtained. If the customer travelled to the UK, you would expect verification to be by a passport valid for travel. You should check what the business does if it does not think a document is genuine. Did it review the descriptions and images of official documents from different countries listed on Online service at Public Register of Authentic travel and identity Documents Online (PRADO)? You can also use the information on this website to satisfy yourself that the documents used for verification appear to be genuine.
If
documents are in a foreign language, follow the guidance at ECSH33720.
The business may have accepted a
visa as a form of identity. The visa will show what permissions the individual
has been granted to enter and remain in the UK (such as Student visa), the
dates the visa is valid and conditions of the visa (such as ‘No work’ or
‘Restricted work’). You can find out more information on GOV.UK.
Companies
To verify a customer who is a body corporate, the business may have retained copies of:
- Companies House screenshots/print outs where the customer is a company incorporated in the UK, limited liability partnership, community interest company, or an overseas entity who owns or wants to buy, sell or transfer land or property in the UK as required on the Register of Overseas Entities. The business may have used this to confirm the registered office address, the incorporation details, directors, and persons with significant control, financial position in its latest annual accounts.
- An equivalent register to Companies House where the customer is an overseas entity.
- Certificate of incorporation verifying the business’s name, registration number and incorporation date.
- Memorandum of association – a legal statement signed by all initial shareholders or guarantors agreeing to form the company.
- Articles of association – setting out how the company is to be run, owned and governed.
- Beneficial ownership information through reviewing share certificates, the shareholder register, board meeting resolutions and power of attorney documents. These may have been cross-checked with checks to government and other databases such as vehicles and land registries.
- Checks to the London Stock Exchange and equivalent for public companies
- Business licences and contracts - if a business licence is required but not held, the activity is likely to be illegal.
- Checks to the Economic Crime-Supervision register - if a customer is required to be registered but is not, has the business informed HMRC? Checks to other supervisors’ registers (for example, the Financial Conduct Authority).
- Electronic verification checks undertaken on individuals and companies, so you might see these for either the customer which is a company, or the beneficial owners (BOs) of that company.
- Results of credit checks – these may have been obtained for commercial reasons rather than to mitigate a risk of money laundering and terrorist financing but may verify elements of the customer’s identity.
Please note, regulation 28(9) MLR 2017 sets out that that a business cannot rely solely on the information contained in the register of people with significant control contained in, for example, Companies House, to fulfil its obligations to:
- Identify the BO.
- Verify the identity of the BO.
- Understand the ownership and control structure of the company/other legal entity.
It must have used other sources to confirm the information, such as those listed above.
Make sure the records you are reviewing match the name of the customer. Particularly when the body corporate is owned by a parent company which is owned by another company, they can sometimes have very similar names for example ‘Customer LTD’ is owned by ‘Customer UK LTD’ which is owned by ‘Customers UK LTD,’ which is owned by ‘Customers EU Ltd.’ You should take your time and review the documents methodically.
For documents verifying other legal persons, trusts, foundations or similar legal arrangement you should follow the same principals as above, to ensure it meets the requirements set out in in ECSH33329 and JMLSG.
If you need help assessing any of the above documents, please seek additional support.
Proof of address
A business may have verified a customer’s address by way of:
- A bank statement in the customer’s name.
- Utility bill for services to the customer’s residential address and/or a company’s trading address (depending on whether the information being verified is for an individual (say, a beneficial owner) or the business itself).
- Council tax bill or other rents/rates.
- Other bills which verify customer information, for example a phone bill (which should also verify the contact number for the customer).
You should establish whether the document was a physical letter posted to the address, or printed from the internet, and how the business protects itself from the risk of forgery. If the letter is addressed to a PO box, this does not confirm the customer’s address. Always investigate if there have been any alternative steps taken to verify the address. For example, did the business conduct an introductory meeting at the customer’s address or were goods delivered to the customer’s trading address? What records does the business have to evidence this?
You should establish how recent the proof of address document should be, as set out in the business’s PCPs. You can then check the business is meeting these standards, by checking the date of the transaction or start of the business relationship against the date on the ID document. For example, you test a transaction that was conducted in December 2023 and note that a utility bill verifying the customer’s address was obtained dated October 2022. Is the business able to explain why the customer didn’t or couldn’t provide a more recent document? What additional checks, if any, did it carry out? Are these documented? What are the procedures for exception reporting, where a customer can’t meet the agreed standards, and have they been followed?
How are documents obtained?
You must understand how the business obtained the document. For example, did the business meet the customer in person for the purposes of verification and was a copy taken there and then, or was the document seen in person, but a copy later received digitally, for example by email.
If customers are not met face to face to carry out likeness checks, what steps has the business taken to mitigate the risk of personation fraud? Consider the type of business/model and whether it may be unusual for the business not to meet the customer in person.
You should establish what measures the business took to verify the document was genuine. There is further information on how to prove and verify an individual on GOV.UK, including how to assess the validity of a document.
Certified documents
If you see certified copies of documents within business CDD records, ask the business how and why they were certified. Did the business carry out any checks on the person certifying the document? You should ensure the business has followed the guidance on GOV.UK, such as checking the person certifying the document is a professional person or someone well-respected within the community.
Who reviews the documents?
You should establish who in the business conducted the CDD checks you are testing and consider whether they received appropriate instructions on how to review documents to verify customer information. Any issues you find may indicate the training in how to recognise suspicious activity and controls are not effective.
You should determine who in the business monitors and manages compliance with CDD procedures (required by regulation 19(3)(e)). For example, confirm the escalation routes/exception reporting procedures and who carries out reviews/audits of CDD measures. Again, you will need to decide if such individuals have received appropriate instructions in how to carry out these audits. How are the results reported to the senior management team and what actions has the business taken to correct any issues identified? Have suspicious activity reports (SARs) been raised retrospectively as a result of the review?
When were the checks conducted?
You will need to confirm when the checks
were conducted. Refer to the further guidance in this chapter on timing of
verification.
Reliance arrangements
If a business has used a reliance arrangement for a transaction or customer you are testing, you will still need to review the CDD measures that were taken. You will need to review copies of documents when the business has obtained them from the party on whom they are relying, in an agreed timeframe. Remember, the business remains liable for any failures.
Identifying breaches
After viewing the documentary evidence, you need to be satisfied that the business is complying with its obligation to verify customers’ identity and following its stated PCPs. If not, you will need to establish why not.
Depending on the type of transaction the customer carried out, you may need to ask follow-up questions about information shown in the documents. For example, if a customer does not have right to work in the UK but regularly transacts with the business, has it verified the customer’s source of funds?
If the business has failed to appropriately verify a customer under regulation 28 MLR 2017, there is also likely to be a corresponding breach of regulation 19 MLR 2017.
To confirm the business has carried out checks on the correct people and that the information obtained is accurate, you should check the information yourself, where possible. For example, by checking the information held on Companies House, sanctions checks, adverse media, and so on.
(This content has been withheld because of exemptions in the Freedom of Information Act 2000)